No Reward Without Risk

3 Steps to Building a Risk-Aware Organization

by Marsha Reppy and Daniel Prior | SAPinsider, Volume 16, Issue 4

October 9, 2015

Is your organization risk aware? According to a global GRC survey conducted by EY, many companies could benefit from a risk management program that is more closely aligned with the overall business strategy. See how your organization can take 3 steps closer to becoming risk aware.


Operating a business requires taking risks. Organizations that identify and manage these risks well are positioned to grow and remain successful. To see how well organizations are performing in their risk management efforts, EY conducted a governance, risk, and compliance (GRC) survey of 1,196 participants around the globe and across industries.

We focused on an array of topics, including risk strategy, coordination of functions, internal audit, and technology, to gain a better understanding of how well organizations are managing risk today. Results showed that while organizations are making progress, further opportunities exist to improve the way that they identify, manage, and respond to risk.

A Comprehensive Approach

The results of the survey indicate that organizations are looking for a more comprehensive, coordinated, and innovative approach to enable them to successfully manage the opportunities and the hardships presented by risk. This requires transforming the way the organization views and capitalizes on risk — we call this building a risk-aware organization. With the knowledge that risks are a never-ending challenge and new risks will be encountered every day, companies can take a three-step approach to risk management.

Step 1: Advance Strategic Thinking

Challenge the way the organization categorizes, manages, and responds to risk by considering it in the context of business decisions and designing risk response plans to appropriately manage identified risks.

Nearly all organizations (97%) indicated that they have made progress in linking their risk management objectives and business objectives, but only 16% consider themselves to be closely linked today. While 66% of organizations indicated that risk management has limited involvement in business decision making, 90% expect to be directly involved or provide inputs within the next three years.

Step 2: Optimize Functions and Processes

Focus on what the organization is doing to optimally align functions by allocating talent and designing risk management processes to efficiently and effectively execute risk response plans across each of the lines of defense. Among respondents, 21% indicated that risk activities are well coordinated today, whereas 67% indicated that they expect risk activities to be well coordinated within three years.

Step 3: Embed Solutions

It’s important to integrate sustainable solutions throughout the organization to prevent, balance, and limit risk. This remains a significant opportunity as 46% of respondents indicated that they do not leverage GRC technology, such as SAP solutions for GRC, limiting their ability to continuously identify and monitor risks in an integrated fashion across their organization, with only 23% evaluating and adjusting their risk profile on a periodic basis.

For More Information

For the full results of the survey and our other thought leadership reports, visit

For more information on our risk services, including those focused on SAP controls, security, and GRC, email

Marsha Reppy


Daniel Prior

Senior Manager
